I would like to propose introducing an optional integrity check in the XML encryption standard.
Specifically, an optional attribute or child element in DataReference and KeyReference. The check can be the SHA-1 digest of the cleartext.
The checksum may be used in the following situation:
- the decrypting party does not have access to only part of the document
- it is considered too expensive to apply PK signatures on individual parts of the doc
- the party that can decrypt the encryption-key does not have access to the encrypted data. The party that has access to the encrypted data cannot decrypt the encryption-key.
This can provide a cheap and secure alternative to PK signatures, to protect against intentional tampering of the ciphertext.
regards
SSH
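
The check proposed in this message, sketched as an added example that is not part of the original post or of the XML Encryption specification: the decrypting party recomputes the SHA-1 digest of the recovered cleartext and compares it with the value carried on the DataReference. The attribute name `CleartextDigest`, the sample key and data, and the stand-in stream cipher are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
SAMPLE_KEY = b"constructed-demo-key"                # constructed sample value
SAMPLE_CLEARTEXT = b"<Amount>100.00</Amount>"       # constructed sample value


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), used only so the
    example runs offline. It is not an XML Encryption algorithm."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def make_reference(uri: str, cleartext: bytes) -> ET.Element:
    """Build a DataReference carrying the SHA-1 digest of the cleartext.
    'CleartextDigest' is a hypothetical attribute name."""
    ref = ET.Element(f"{{{XENC}}}DataReference", {"URI": uri})
    digest = hashlib.sha1(cleartext).digest()
    ref.set("CleartextDigest", base64.b64encode(digest).decode("ascii"))
    return ref


def decrypt_and_check(ref: ET.Element, key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt, then reject the result if its digest does not match."""
    cleartext = keystream_xor(key, ciphertext)
    expected = base64.b64decode(ref.get("CleartextDigest"))
    if not hmac.compare_digest(hashlib.sha1(cleartext).digest(), expected):
        raise ValueError("cleartext digest mismatch: ciphertext was modified")
    return cleartext


if __name__ == "__main__":
    ref = make_reference("#enc1", SAMPLE_CLEARTEXT)
    ct = keystream_xor(SAMPLE_KEY, SAMPLE_CLEARTEXT)
    print(decrypt_and_check(ref, SAMPLE_KEY, ct))
    # Flip one bit of the amount inside the ciphertext, as a tamperer could.
    tampered = ct[:8] + bytes([ct[8] ^ 0x08]) + ct[9:]
    try:
        decrypt_and_check(ref, SAMPLE_KEY, tampered)
    except ValueError as err:
        print("rejected:", err)
```

The comparison only detects tampering when the digest value itself cannot be replaced by whoever modified the ciphertext.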